Barbara A. Cleary

Health Care

Ensuring Medical Data Safety Demands Quality Control

Data breaches cost health care nearly $6 billion annually

Published: Tuesday, January 25, 2011 - 05:00

A young man in PQ Systems' hometown survived a dramatic auto accident last summer in which police-captured video footage of his spectacular, airborne vehicle was broadcast throughout the nation. That was just the beginning of his problems, for during his hospitalization, his medical records were apparently accessed by unauthorized hospital personnel and leaked to those outside the hospital.

A recent dramatic case of health-care data breach occurred when gamers who were seeking bandwidth to play a video game accessed a server storing protected information on 230,000 patients at Seacoast Radiology in Rochester, New Hampshire.

News reports bring frequent stories about leaks that can cause not only embarrassment, but also legal action or threats to physical well-being.

Privacy violations, voiced as Health Insurance Portability and Accountability Act (HIPAA) or Office of Civil Rights (OCR) complaints, represent a serious threat to the maintenance of individuals' privacy in medical care, and seem to be on the rise. Not only a fraud issue, these violations reflect lapses in quality control, because data security represents a process that can be monitored, charted, and analyzed for improvement.

With data breaches costing the health care industry nearly $6 billion a year, a survey of 211 senior managers at 65 provider organizations conducted by Ponemon Institute, a research firm focusing on privacy, data protection, and information security policy, indicates that a significant number of these organizations cannot properly secure data. Respondents at 71 percent of the surveyed provider facilities—hospitals, delivery systems, and physician practices—reported inadequate resources, a lack of appropriately trained personnel (52%) and insufficient policies and procedures (69%) to detect or prevent breaches.

More troubling, many organizations do not perceive data security to be a priority. Protecting patient information is not a top priority at 70 percent of responding hospitals. Two-thirds of organizations have less than two staff dedicated to data protection management, the Ponemon study indicates. The institute cautions that with a small sample size, it is dangerous to generalize about the industry. Nonetheless, any data breach or privacy violation is troubling.

Privacy areas that are most often investigated by the Justice Department (with few criminal prosecutions, despite increasing numbers of complaints) are:
• Impermissible uses and disclosures of protected health information (PHI)
• Lack of safeguards of personal health information
• Lack of patient access to their PHI
• Uses or disclosures of more than the minimum necessary PHI
• Complaints to the covered entity
Health data security breaches, or medical information accessed inappropriately, affected more than 500 patient records in less than four weeks from Sept. 23 through Oct. 18, 2010, with a total for the year of 181 events affecting 5,017,217 patient records, according to an analysis by HIP/SA (figure 1). For the most part, the breaches are due to data theft. With increasing use of electronic data capture and storage in medical records, security breaches remain a concern.

Type of breach          Number of incidents    Number of individuals affected
Theft                                   102                         3,171,127
Unauthorized access                      40                           239,078
Loss                                     36                         1,180,172
Improper disposal                        12                            71,209
Hacking/IT incident                      11                            93,739
Other                                     1                           344,579

Figure 1: Health data security breaches from Sept. 23–Oct. 18, 2010

The question for the quality professional to consider is how traditional improvement tools and techniques can reduce breaches of health data security. These same tools have helped improve processes and products in manufacturing, education, and service industries around the world.

The answer? Data. Collecting data, as the chart above demonstrates, can pinpoint the kinds of breaches that are most common. A Pareto diagram (figure 2) will clearly identify the categories with the greatest impact. Further analysis of data will point to process breakdowns. If one were to analyze thefts, for example, disaggregating the data by time of day, personnel on duty, type of information that is stolen, whether it is electronic or physical access, or other markers, an improvement plan could be developed based on data. Information is derived from data analysis and actions can then be based on accurate information. The lack of physical safeguards continues to be one of the leading actionable complaints in the HIPAA privacy enforcement program.

Figure 2: Privacy breaches by type, Sept. 23–Oct. 18, 2010
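As an added illustration that is not part of the original article, the Pareto ranking described above is carried out in Python over the figure 1 counts, followed by the disaggregation step the text proposes for thefts; the theft records used for that step are constructed sample data, not figures from the article.

```python
from collections import Counter

# Breach categories from the article's figure 1 (Sept. 23 - Oct. 18, 2010):
# category -> (number of incidents, number of individuals affected)
BREACHES = {
    "Theft": (102, 3_171_127),
    "Unauthorized access": (40, 239_078),
    "Loss": (36, 1_180_172),
    "Improper disposal": (12, 71_209),
    "Hacking/IT incident": (11, 93_739),
    "Other": (1, 344_579),
}


def pareto(table, measure="individuals"):
    """Rank categories by impact and attach a cumulative percentage.

    measure is 'incidents' (column 0) or 'individuals' (column 1).
    Returns [(category, value, cumulative_pct), ...] in descending order,
    which is exactly the data a Pareto chart plots.
    """
    idx = 0 if measure == "incidents" else 1
    total = sum(v[idx] for v in table.values())
    ranked = sorted(table.items(), key=lambda kv: kv[1][idx], reverse=True)
    rows, running = [], 0
    for name, vals in ranked:
        running += vals[idx]
        rows.append((name, vals[idx], round(100 * running / total, 1)))
    return rows


def vital_few(rows, threshold=80.0):
    """Categories that together account for at least `threshold` percent."""
    out = []
    for name, _, cum in rows:
        out.append(name)
        if cum >= threshold:
            break
    return out


def disaggregate(incidents, marker):
    """Count incidents of one breach type by a marker such as shift or medium."""
    return Counter(i[marker] for i in incidents)


# Constructed sample theft records (hypothetical, not from the article).
THEFTS = [
    {"shift": "night", "medium": "laptop"},
    {"shift": "night", "medium": "paper"},
    {"shift": "day", "medium": "laptop"},
    {"shift": "night", "medium": "laptop"},
    {"shift": "day", "medium": "usb drive"},
]
```

Ranking by individuals affected shows that theft and loss together account for roughly 85 percent of the records exposed, while ranking by incident count adds unauthorized access to the vital few.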

Another approach to data analysis might be to look more closely at other entities that have had to take corrective action to get into compliance with HIPAA standards. One might think that health-care management breaches occur in hospitals only, but this is clearly not the case. Potential entities include private medical practices, general hospitals, outpatient facilities, health plans, and pharmacies. A case in Texas, for example, involved six independent pharmacies that filed a lawsuit against CVS Caremark, charging violations of the HIPAA privacy rule, among other offenses. CVS Caremark is a national pharmacy chain and mail-order pharmacy benefit management firm.

A growing sense of privacy breaches has emerged in financial and retail industries as well as in health care, of course. This is not a health care problem per se, but instead represents expanding technology that demands increased scrutiny of data management. This scrutiny depends on understanding the scope of the problem, and this is where information technology and data analysis play key roles. Without understanding what kinds of breaches occur, as well as their frequency and impact, any attempt to bolster data security will be simply a shot in the dark.
About The Author

Barbara A. Cleary

Barbara A. Cleary, Ph.D., is a teacher at The Miami Valley School, an independent school in Dayton, Ohio, and has served on the board of education in Centerville, Ohio, for eight years—three years as president. She is corporate vice president of PQ Systems Inc., an international firm specializing in theory, process, and quality management. She holds a master's degree and a doctorate in English from the University of Nebraska. Cleary is author and co-author of five books on inspiring classroom learning in elementary schools using quality tools and techniques (e.g., cause and effect, continuous improvement, fishbone diagram, histogram, Pareto chart, root cause analysis, variation, etc.), and how to think through problems and use data effectively. She is a published poet and a writer of many articles in professional journals and magazines including CalLab, English Journal, Quality Progress, and Quality Digest.